Tools

Blocking command line access

Our normal Group Policies include disabling the command prompt for interactive use (i.e. user typing at a prompt), but not for scripting purposes.

Running any program located outside of allowed locations is blocked by Software Restriction Policies in our Group Policies, but again, access to the various systems tools is required. Similarly, all drives except for those explicitly containing data (not applications), e.g. the home area, shared resources, etc. will be blocked.

These methods stop most casual attempts at gaining command line access. However, stopping access to the command prompt entirely will interfere with the login process, so care must be taken.

There are two routes to a command prompt: cmd.exe and command.com. The Group Policy referred to above will block access to cmd.exe for interactive use (user will receive the error The command prompt has been disabled by your administrator. However, command.com is not affected by this group policy. To remove user access to command.com do the following:

Find WINDOWS\system32\command.com on your system drive and right click on it.